| Summary: | net-proxy/tinyproxy-1.8.3-r3: Multiple headers hashmap DoS (CVE-2012-3505) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | taaroa <taaroa> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | net-proxy+disabled, pacho |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://access.redhat.com/security/cve/CVE-2012-3505 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 476034 | | |
Description

taaroa
2012-08-20 10:47:53 UTC

Thanks for the bug, taaroa. Patches attached to the upstream bug in c0.

CVE-2012-3505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3505):
tinyproxy before 1.8.3-3 allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that are hashed into the same bucket.

+ 30 May 2013; Tom Wijsman <TomWij@gentoo.org> ChangeLog,
+ +tinyproxy-1.8.3-r2.ebuild, +files/tinyproxy-1.8.3-r2.initd,
+ +files/tinyproxy-1.8.3-r2-DoS-Prevention.patch:
+ Use /run instead of /var/run, fixes bug #444167. Apply DoS Prevention
+ patches, temporary fixes for bug #432046. Fix ChangeLog issues; there was an
+ empty log message above header by flameeyes and an empty message by jer.

(In reply to Tom Wijsman (TomWij) from comment #3)
> + 30 May 2013; Tom Wijsman <TomWij@gentoo.org> ChangeLog,
> + +tinyproxy-1.8.3-r2.ebuild, +files/tinyproxy-1.8.3-r2.initd,
> + +files/tinyproxy-1.8.3-r2-DoS-Prevention.patch:
> + Use /run instead of /var/run, fixes bug #444167. Apply DoS Prevention
> + patches, temporary fixes for bug #432046. Fix ChangeLog issues; there was
> an
> + empty log message above header by flameeyes and an empty message by jer.

Maybe -r3 could be stabilized instead of -r2, as the only differences are systemd unit file installation.

@maintainers: if it's okay to stable, please CC arches with your target version.

Ok with 1.8.3-r3 then?

Please stabilize =net-proxy/tinyproxy-1.8.3-r3. Target keywords: alpha amd64 ia64 ppc sparc x86

amd64 stable

x86 stable

ia64 stable

alpha stable

ppc stable

sparc stable

GLSA request filed. @maintainers: cleanup please.

Hm, that was supposed to be glsa?. Oh well. Request still filed.

+ 10 Oct 2013; Tom Wijsman <TomWij@gentoo.org> -tinyproxy-1.8.3-r1.ebuild,
+ -tinyproxy-1.8.3-r2.ebuild, -tinyproxy-1.8.3.ebuild:
+ Cleanup of old ebuilds for security bug #432046

This issue was resolved and addressed in GLSA 201312-15 at http://security.gentoo.org/glsa/glsa-201312-15.xml by GLSA coordinator Sergey Popov (pinkbyte).
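The CVE text quoted in this bug names two ways to exhaust a proxy's header hashmap: send a very large number of headers, or send many headers whose names hash into the same bucket so that every insert walks a long collision chain. Both cost the proxy work proportional to the number of headers it agrees to store. The C program below is an added illustration written for this page; it is not tinyproxy's code and not the DoS-Prevention patch shipped in the ebuild. It builds a small chained header hashmap and refuses to store headers past a fixed cap, so the work a client can force per request stays bounded however the names hash. `NBUCKETS`, `MAX_HEADERS`, the function names and the constructed header blocks are all assumptions of this example.

```c
/* Added example, not tinyproxy's code: a chained header hashmap with a
 * hard cap on stored headers. NBUCKETS and MAX_HEADERS are hypothetical
 * values chosen for illustration, not tinyproxy's configuration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS    32
#define MAX_HEADERS 64

struct entry { char *key; char *val; struct entry *next; };
struct hmap  { struct entry *bucket[NBUCKETS]; size_t count; size_t max; };

/* Case-insensitive djb2 over the header name; colliding names share a list. */
static unsigned bucket_of(const char *key)
{
    unsigned h = 5381;
    for (; *key; key++)
        h = h * 33 + (unsigned char)tolower((unsigned char)*key);
    return h % NBUCKETS;
}

static char *dupn(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Returns 0 on success, -1 when the cap is reached or allocation fails.
 * The cap check runs before any allocation or chain walk, so a request
 * can never make the map do more than MAX_HEADERS inserts. */
int hmap_insert(struct hmap *m, const char *key, size_t klen,
                const char *val, size_t vlen)
{
    if (m->count >= m->max)
        return -1;
    struct entry *e = malloc(sizeof *e);
    if (!e) return -1;
    e->key = dupn(key, klen);
    e->val = dupn(val, vlen);
    if (!e->key || !e->val) { free(e->key); free(e->val); free(e); return -1; }
    unsigned b = bucket_of(e->key);
    e->next = m->bucket[b];
    m->bucket[b] = e;
    m->count++;
    return 0;
}

void hmap_free(struct hmap *m)
{
    for (size_t b = 0; b < NBUCKETS; b++) {
        struct entry *e = m->bucket[b];
        while (e) { struct entry *n = e->next; free(e->key); free(e->val); free(e); e = n; }
        m->bucket[b] = NULL;
    }
    m->count = 0;
}

/* Parses "Name: value\r\n" lines (request line already removed) up to the
 * blank line ending the header block. Lines without a colon are skipped.
 * Returns the number of headers stored, or -1 once more than max_headers
 * arrive, at which point the caller should reject the request. */
int parse_headers(const char *raw, size_t max_headers)
{
    struct hmap m = { {0}, 0, max_headers };
    const char *p = raw;
    int result = 0;

    while (*p && strncmp(p, "\r\n", 2) != 0) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', len);
        if (colon) {
            const char *v = colon + 1;
            while (v < p + len && *v == ' ') v++;
            if (hmap_insert(&m, p, (size_t)(colon - p), v, (size_t)(p + len - v)) != 0) {
                result = -1;
                break;
            }
        }
        if (!eol) break;
        p = eol + 2;
    }
    if (result == 0) result = (int)m.count;
    hmap_free(&m);
    return result;
}

/* Constructed input for the example: a header block with n distinct headers. */
char *make_header_block(int n)
{
    char *buf = malloc((size_t)n * 24 + 3), *w = buf;
    if (!buf) return NULL;
    for (int i = 0; i < n; i++)
        w += sprintf(w, "X-%d: v\r\n", i);
    strcpy(w, "\r\n");
    return buf;
}

/* Builds an n-header block, parses it under max_headers, frees it. */
int count_headers_in_block(int n, size_t max_headers)
{
    char *blk = make_header_block(n);
    if (!blk) return -2;
    int r = parse_headers(blk, max_headers);
    free(blk);
    return r;
}

int main(void)
{
    printf("3 headers   -> %d\n", count_headers_in_block(3, MAX_HEADERS));
    printf("200 headers -> %d\n", count_headers_in_block(200, MAX_HEADERS));
    return 0;
}
```

The cap is checked before the hash is computed, so even a block of names that all fall in one bucket costs at most `MAX_HEADERS` chain walks before the request is refused; a real proxy would answer with a 4xx status and close the connection at that point.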